AT&T Alien Labs™ has identified a new tool in use by the TeamTNT adversary group, which has previously been observed targeting exposed Docker infrastructure for cryptocurrency mining and credential theft. The group has adopted a new detection evasion tool, copied from an open source repository.
The purpose of this blog is to share new technical intelligence and provide detection and analysis options for defenders.
AT&T Alien Labs previously reported on TeamTNT cryptomining malware using a new memory loader based on Ezuri and written in Go. Since then, TeamTNT has added another tool to its list of capabilities.
The objective of the new tool is to hide the malicious process from process-listing programs such as `ps` and `lsof`, which makes it a defense evasion technique rather than a new payload.
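Tools like `ps`, `lsof` and `ls /proc` all enumerate processes by calling `readdir()` on `/proc`, which is exactly the library call a preloaded hider library replaces; a direct `stat()` of `/proc/<pid>` does not go through `readdir()` and is therefore not filtered. The following script, added here as an example and not code from the original post or from TeamTNT's tooling, turns that gap into a check: it lists whatever `/etc/ld.so.preload` loads (a file that normally does not exist on a Docker host) and reports PIDs that a direct probe of `/proc` finds but a directory listing does not. The function names, the default PID bound of 32768 when `pid_max` is unreadable, and the sample preload file used in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the post): find processes hidden from readdir()-based
# tools on a Linux host. Assumes /proc is mounted and that the hider is loaded via
# /etc/ld.so.preload, the usual deployment for an LD_PRELOAD-style library.

# Print each shared object named in an ld.so.preload file (default /etc/ld.so.preload),
# with comments and blank lines removed. Any entry on a container host is worth a look.
list_preload() {
    f="${1:-/etc/ld.so.preload}"
    [ -r "$f" ] || return 0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$f"
}

# PIDs as readdir() reports them: this is the view ps, lsof and ls share,
# and the one a readdir() hook can edit.
readdir_pids() {
    ls -1 "$1" 2>/dev/null | grep -E '^[0-9]+$'
    return 0
}

# PIDs found by probing /proc/<pid> directly with a stat() of each candidate
# directory. No directory listing is involved, so a readdir() hook cannot filter it.
probe_pids() {
    root="$1"; max="$2"; i=1
    while [ "$i" -le "$max" ]; do
        [ -d "$root/$i" ] && printf '%s\n' "$i"
        i=$((i + 1))
    done
    return 0
}

# Compare two newline-separated PID lists and print every PID present in the
# probed list but absent from the readdir() list. Pure function, so it can be
# exercised with constructed input instead of a live /proc.
diff_pids() {
    visible="$1"; probed="$2"
    printf '%s\n' "$probed" | while read -r pid; do
        [ -n "$pid" ] || continue
        printf '%s\n' "$visible" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
    return 0
}

# Live check: enumerate /proc both ways and report the difference.
# The probe loop is linear in pid_max (4194304 on many current kernels), which is
# slow in shell; pass a smaller bound as the second argument when triaging quickly.
find_hidden() {
    root="${1:-/proc}"
    max="${2:-$(cat "$root/sys/kernel/pid_max" 2>/dev/null || echo 32768)}"
    diff_pids "$(readdir_pids "$root")" "$(probe_pids "$root" "$max")"
}

# Usage (example invocation; "$0" guard so the functions can be sourced elsewhere):
#   sh hidden_pids.sh            # scan the live host
#   sh hidden_pids.sh /proc 4096 # bounded scan for a quick triage
if [ "${0##*/}" = "hidden_pids.sh" ]; then
    echo "== /etc/ld.so.preload entries =="; list_preload
    echo "== PIDs visible to stat() but not to readdir() =="; find_hidden "$@"
fi
```

Two caveats for anyone running this in an incident: a hider that also wraps `stat()` or the directory-walking functions in `libc` would defeat the probe, so a statically linked binary (or one that issues `getdents64` directly) is the stronger cross-check; and because the hook lives in user space, anything reading `/proc` from inside the kernel, such as an audit or eBPF-based sensor, still sees the process.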
The tool, named libprocesshider, is an open source tool from 2014 located on GitHub, described as “hide a…